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REMARKS 

In the final Office Action mailed January 4, 2007, the Examiner noted that claims 52-1 1 0 
were pending and rejected claims 52-110. However, claims 1-110 are pending for 
reconsideration which is requested. The Examiner's rejections are traversed below. 

Clarification of the Action Is Requested 

There is considerable confusion by the undersigned about the status of the claims in this 
case and about what exactly is being used to reject the claims. As will be seen from examining 
the originally filed reissue application papers, the reissue application was filed with claims 1-110 
with claims 52-1 1 0 being added to the original claims of the patent. 

The Examiner apparently considers the application to only include claims 52-1 10. As a 
result, claims 1-51 have not been yet examined in this reissue application. Examination of 
claims 1-51 is requested. 

There is additional confusion over what exactly is being used to reject the claims. In two 
places in the Action mailed 1/4/7 the Examiner asserts that the claims are being rejected as 
anticipated over Cozza (see page 2, paragraph 4 and paragraph 5). However, in the body of the 
rejection in paragraph 4 of pages 2-3 the Examiner refers to Arnold. This problem was brought 
up in the prior filed response and clarification was requested: 

Further on page 3 of the Action in the anticipation rejection over Cozza, the 
Examiner appears to include Arnold in the rejection ("As per claims 53 and 54, 
Arnold discloses ..." see Action page 2, line 6). Clarification of the type 
(anticipation or obviousness) of rejection of claims 53 and 54 and clarification of 
which references (Cozza or Cozza and Arnold) are being used in the rejection is 
requested. 
(See Response of 8/15/6 page 9) 

Because of this confusion the applicant responded to the prior Action assuming that the Cozza 
reference was being used to reject the claims in the anticipation rejection. 

The Examiner has still not clarified this issue. Clarification is again requested. 

It is requested that the record be clarified concerning the status of the claims and what is 
being used to reject the claims. 

Art Rejections 

In an effort to keep this application progressing even in the face of the confusion this 
response, applicant is responding as if both Cozza and Arnold are being used to reject the 
claims as anticipated. 
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Cozza 

Independent claim 52 emphasizes "a saving unit saving a detected virus-infected file into 
a specific area within said storage device" (see also claims 57, 62 and 1 1 0), independent claims 
67, 75, 88, 94, 1 01 , 1 07 and 1 08 emphasize that the infected file is quarantined, independent 
claims 72, 79, 84, 85, 92, 97, 98 and 105 emphasize encrypting an infected file and independent 
claim 109 emphasizes isolating an infected file from other files. 

In contrast, Cozza is directed at: 

The method and apparatus for increasing the speed at which computer viruses 
are detected stores initial state information concerning the file or volume which is 
being examined for a virus. This information is stored in a cache in a non-volatile 
storage medium and when files are subsequently scanned for viruses, the current 
state information is compared to the initial state information stored in the cache. If 
the initial state information differs from the current state information then the file 
or volume is scanned for viruses which change the state information of the file or 
volume. If the initial state information and current state information is the same 
then the file or volume is scanned for a subset of viruses which do not change the 
state information. 
(See Cozza Abstract) 

The method and apparatus of the present invention for scanning files for 
computer viruses relies on the fact that viruses invariably change the file or 
volume they infect. Consequently, information detailing the initial "state" of an 
uninfected file or volume can be "cached" or securely saved to disk or other non- 
volatile storage medium. The cached information is dependent not only on the 
type of machine the scanning program is running on, but also on viruses' method 
of infection on that type of machine. The stored information can be tailored to 
meet the variety of situations found in present and future computing 
environments. 

Once the initial "state" information has been stored to a disk or other non-volatile 
storage medium, the method and apparatus of the present invention can use this 
cached information in future virus scans to determine what files and/or volumes 
have changed in a way indicative of most virus infections. In many applications 
this information alone is enough to eliminate the need to scan a file/volume for 
most, if not all, viruses. The result is a substantial improvement in scanning time, 
in return for a very modest cost in terms of disk or other non-volatile storage 
medium. 
(See Cozza Summary) 

The process for scanning each file in a volume will now be described with 
reference to FIG. 3. For each file on a volume that is to be scanned, the cache is 
searched for the presence of the file's cache information in step 40. This is 
indicated by the presence or absence of the file's file id in the cache (see FIG. 4). 
Note that if the cache did not exist or if it was invalid, then the file will not be found 
as the in-memory cache was zeroed. If the file's information is not found 
(indicating that the file needs to be freshly scanned), then it is scanned for a full 
complement of viruses, including those that infect the file resource fork in step 42 
and those that infect the data fork in step 44. 

If the file's scan information is found in the cache then the resource fork length of 
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the file is compared with that stored in the cache in step 46. If the resource fork 
lengths differ, then the file resource fork has been modified and must be 
rescanned in step 48 for a full complement of viruses that infect resource forks. If 
the resource fork size is identical with that stored in the cache, then only a subset 
of viruses which infect resource forks must be scanned for in step 50. That is, the 
program must only scan for viruses which infect resource forks but do not change 
the length of the resource fork, or which have the capability of modifying the scan 
cache in a attempt to hide themselves. For example, at the present time there are 
no such viruses that affect the resource forks of files on Apple Macintosh 
computers without changing the resource fork length, so no scanning would be 
necessary in step 50 if this scanning method is used with an Apple Macintosh 
computer. 

If the file's scan information is found in the cache, then the data fork length of the 
file is also compared with that stored in the cache. If the data fork length is 
determined to differ in step 52, then the file data fork has been modified and must 
be rescanned for a full complement of viruses that infect data forks in step 54. If 
the data fork size is identical to that stored in the cache, then only a subset of 
viruses which infect data forks must be scanned for in step 56. Specifically, the 
program need only scan for viruses which infect data forks but do not change the 
length of the data fork, or which have the capability of modifying the scan cache 
in an attempt to hide themselves. 

After all virus scanning for a file is completed, the scan cache must be updated. It 
is preferable to keep a second, new cache in memory separate from the original 
cache and update that with the new information for each file on the disk (thus 
eliminating outdated information in the old cache). To update the cache, the scan 
results are checked to determine whether any virus was found in step 58. If a 
virus was found, then the scan cache is updated with zeroed information for the 
file in step 60, which will force the file to be completely scanned again in the 
future. If no viruses were found in the file, then the file's scan information is added 
to the new cache in step 62. This information includes the file's ID, resource fork 
length and data fork length. Steps 38 through 64 are repeated for each scannable 
file on the disk. When all files have been scanned on the volume, the new, 
updated cache is written to disk on the volume scanned (34). 
(see Cozza, col. 4, line 18-col. 5, line 7) 

Cozza discusses using a cache information file containing state information about a 
change in a file to speed up virus scanning. Cozza says nothing about "saving a detected virus- 
infected file into a specific area within said storage device" as recited in claim 52 much less 
about the features of independent claims 57, 62 and 110, the features of independent claims 67, 
75, 88, 94, 1 01 , 1 07 and 1 08, the features of independent claims 72, 79, 84, 85, 92, 97, 98 and 
105 and the features of independent claim 109, or about the features of the dependent claims 
such as claim 70. 

Arnold 

Arnold states: 

In operation, original copies of the decoy programs are stored securely, by 
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example in encrypted form or on a separate server, along with checksums of the 
originals. After a specified time interval, or after other specified conditions are 
met, checksums of some or all of the decoy programs are taken and compared 
directly to their originals. Alternatively, the decoy programs are compared directly 
to their originals. If none of the decoys are found to have changed, the user is 
alerted to the fact that an anomaly of some sort was detected, but that the system 
was unable to find conclusive evidence of a virus. In this case, it is desirable to 
maintain the system in a moderate state of alert for some time period, exercising 
the decoy programs at a reduced priority or less frequent intervals. 

(See Arnold, col. 6, lines 21-36) 

If one or more decoy programs is subsequently found to have changed from the 
original, protected version, it can be assumed that the changes are due to a virus. 
A comparison of each modified decoy program with its corresponding uninfected 
version enables a copy of the virus to be isolated from each decoy. 

(See Arnold, col. 7, lines 3-9) 

Results of each stage of the progress from initial capture of an unknown virus to 
the extraction of a signature for the captured virus (Blocks J through N) are 
recorded in a report. If the user is on a network, the report is sent to a network 
server, and a message is sent to alert the network administrator to the generated 
report. The administrator preferably forwards the report to a virus expert so that 
the newly identified virus can be analyzed further and the signature distributed 
with a next release of the immune system software. 

In particular, the report includes encrypted versions of the decoy programs, in 
both their original and virus-modified forms, the merged virus code samples, and 
the extracted signature. If difficulties are encountered at any stage, for example, 
code portions of the signature could not be identified, or more than one merged 
virus code sample exists (indicating possible polymorphism), these conditions are 
also noted in the report. 
(See Arnold, col. 26, line 66 - col. 27, line 1 5) 

First, as can be seen Arnold is dealing with decoy programs not files. Second, as can 
also be seen, Arnold relies on comparing checksums or comparing the decoy programs directly. 
Third, as can be seen Arnold says nothing about "a storage device storing files " or "a virus 
scanner detecting if a file stored in said storage device is infected with a virus " or "a saving unit 
saving a detected virus-infected file into a specific area within said storage device " as recited in 
claim 52 much less about the features of independent claims 57, 62 and 110, the features of 
independent claims 67, 75, 88, 94, 101, 1 07 and 1 08, the features of independent claims 72, 79, 
84, 85, 92, 97, 98 and 105 and the features of independent claim 109, or about the features of 
the dependent claims such as claim 70. 

It is submitted that the present claims patentably distinguish over Cozza or Arnold and 
Cozza with Arnold and withdrawal of the rejection is requested. 

It is submitted that the claims are not taught, disclosed or suggested by the prior art. The 
claims are therefore in a condition suitable for allowance. An early Notice of Allowance is 
requested. 
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If any further fees, other than and except for the issue fee, are necessary with respect to 
this paper, the U.S.P.T.O. is requested to obtain the same from deposit account number 19- 
3935. 

Respectfully submitted, 
STAAS & HALSEY LLP 



Date: July 3. 2007 By: /J. Randall Beckers 

J. Randall Beckers 
Registration No. 30,358 

1201 New York Avenue, NW, Suite 700 
Washington, D.C. 20005 
Telephone: (202)434-1500 
Facsimile: (202)434-1501 
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